WIP nomad vault db integration
This commit is contained in:
parent
af743820ec
commit
420e67b68b
@ -1,3 +1,4 @@
|
|||||||
|
# Set up nomad provider in vault for Nomad ACLs
|
||||||
resource "nomad_acl_token" "vault" {
|
resource "nomad_acl_token" "vault" {
|
||||||
name = "vault"
|
name = "vault"
|
||||||
type = "management"
|
type = "management"
|
||||||
@ -29,3 +30,68 @@ path "nomad/creds/nomad-deploy" {
|
|||||||
}
|
}
|
||||||
EOH
|
EOH
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Nomad Vault token access
|
||||||
|
resource "vault_token_auth_backend_role" "nomad-cluster" {
|
||||||
|
role_name = "nomad-cluster"
|
||||||
|
token_explicit_max_ttl = 0
|
||||||
|
allowed_policies = ["access-tables"]
|
||||||
|
orphan = true
|
||||||
|
token_period = 259200
|
||||||
|
renewable = true
|
||||||
|
}
|
||||||
|
|
||||||
|
# Policy for nomad tokens
|
||||||
|
resource "vault_policy" "nomad-token" {
|
||||||
|
name = "nomad-server"
|
||||||
|
policy = <<EOH
|
||||||
|
# Allow creating tokens under "nomad-cluster" token role. The token role name
|
||||||
|
# should be updated if "nomad-cluster" is not used.
|
||||||
|
path "auth/token/create/nomad-cluster" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow looking up "nomad-cluster" token role. The token role name should be
|
||||||
|
# updated if "nomad-cluster" is not used.
|
||||||
|
path "auth/token/roles/nomad-cluster" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow looking up the token passed to Nomad to validate # the token has the
|
||||||
|
# proper capabilities. This is provided by the "default" policy.
|
||||||
|
path "auth/token/lookup-self" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow looking up incoming tokens to validate they have permissions to access
|
||||||
|
# the tokens they are requesting. This is only required if
|
||||||
|
# `allow_unauthenticated` is set to false.
|
||||||
|
path "auth/token/lookup" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow revoking tokens that should no longer exist. This allows revoking
|
||||||
|
# tokens for dead tasks.
|
||||||
|
path "auth/token/revoke-accessor" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow checking the capabilities of our own token. This is used to validate the
|
||||||
|
# token upon startup.
|
||||||
|
path "sys/capabilities-self" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow our own token to be renewed.
|
||||||
|
path "auth/token/renew-self" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
}
|
||||||
|
|
||||||
|
# Create a vault token for Nomad
|
||||||
|
# resource "vault_token" "nomad-token" {
|
||||||
|
# policies = ["nomad-server"]
|
||||||
|
# period = "72h"
|
||||||
|
# no_parent = true
|
||||||
|
# }
|
||||||
|
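Review bot: The commented-out `vault_token "nomad-token"` block at the end of the hunk will, once enabled, persist the Nomad server's periodic Vault token in plaintext in Terraform state, and because that token carries the `nomad-server` policy (which grants `update` on `auth/token/create/nomad-cluster`), anyone who can read state can mint `nomad-cluster` tokens. Either leave this block out and create the token out of band (e.g. `vault token create -policy=nomad-server -period=72h -orphan`) with a comment to that effect, or document that the state backend is encrypted and access-controlled before uncommenting it. In the `nomad-cluster` role, `token_explicit_max_ttl = 0` combined with `renewable = true` means derived task tokens can be renewed indefinitely and are only bounded by Nomad calling `auth/token/revoke-accessor` when a task dies, so add a comment making that deliberate, e.g. `# No max TTL: task tokens live until Nomad revokes them via revoke-accessor; Nomad requires periodic tokens here.`. Lastly, the resource label `vault_policy.nomad-token` versus `name = "nomad-server"` is easy to misread against the `policies` list in the token block; renaming the resource to `vault_policy.nomad-server` (or noting the mismatch in the `# Policy for nomad tokens` comment) would avoid confusion.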